July 24, 2012

Black Hat And DefCon Are Strange Bedfellows

by editor

Peter Suciu for redOrbit.com — Your Universe Online

Las Vegas is home to many trade shows, and sometimes attendees of one head over to another. This is notable when the Consumer Electronics Show storms into Sin City in early January, and many attendees of the world's largest trade event head over to the AVN Show — the latter being the Adult Video News or “porn show.”

But this week many high-level security experts who are in Vegas for the Black Hat USA security conference will likely stick around for DefCon, which opens later this week.

The former is the up-and-up event with sponsors that include Amazon.com, Cisco, Hewlett Packard, IBM, Looking Glass, Microsoft and Qualys. The conference is expected to draw somewhere between 6,500 and 7,500 attendees — most invite only — and feature 82 sessions. The event will also include the release of 36 new security tools, 49 on-stage demonstrations and 17 zero-day disclosures.

It promises to be the biggest Black Hat event to date.

“Black Hat, since inception, has moved the security conversation forward, bringing research and its far-reaching implications to light,” Terry Ford, general manager of the conference, told eWeek. “Part of this has had a direct impact on the vendor's 'age of innocence.' Over the years, we have all seen the news where Black Hat researchers have had gag orders executed, cease-and-desist notifications served. Most vendors now understand that security must be addressed directly, not buried by legal teams filing paperwork while marketers spin messaging.”

By contrast the other conference is far less “official.” It offers all-night hacker duels, and attendees pay $200 each — in cash no less — to attend the conference, which offers panels on hacking smartphones, power grids and even door locks.

But there is irony in how the two worlds — that of security experts and hackers — are merging. The founder of both Def Con and Black Hat is Jeff Moss, who is now chief of security for the US-based Internet Corporation for Assigned Names and Numbers (ICANN), the agency in charge of website addresses.

The phrase that quickly comes to mind is the Latin “Quis custodiet ipsos custodes?” In English, at least, it is “Who will guard the guards themselves?” That may be a question yet to be answered.

Just more irony, but then again so is the fact that Def Con usually offers a “top-secret VIP speaker,” and this year it will be U.S. National Security Agency (NSA) director General Keith Alexander, whose presentation is reportedly titled “Shared Values, Shared Responsibility.”

For many Black Hat event attendees it might have seemed as though the Def Con hijinks started early. As Black Hat kicked off Monday, security professionals received what looked like a phishing attack in their email in-boxes. The email, which came from an address at ITN, reportedly featured the subject line “Your admin password” and suggested the recipient had requested a password change.

Most attendees likely assumed it was a joke, the usual sort of thing that is played around this time of year.

But as this week is about irony, so too was the message. That's because it wasn't a faux phishing scare as much as it was a non-faux phishing scare — or rather it was real in a way.

According to a post on the Black Hat blog by Trey Ford, the email was real, but sent out mistakenly by ITN — which just happens to be the contractor hired by Black Hat to handle registration at the conference. In a word: oops!

“Hanlon's Razor states, ‘Never attribute to malice that which is adequately explained by stupidity,’” Ford's blog begins. “We love to tease people that your systems need to be ready to hold their own if joining the Black Hat network. In this frame of mind, the community very correctly expected a prank or act of malice. The far more concerning thought would be how is ANYONE other than Black Hat emailing the registered delegates for the 2012 show? Some data is shared on a need-to-know basis with some key partners, one of which is ITN, which is handling our on-site registration and check-in systems at the show this year.”

So how did it happen? According to online reports, an “overeager” volunteer sent out a premature message by using an over-privileged feature in the registration application.

This is the sort of thing that those attending Black Hat look to close, while those at Def Con may look to exploit it.